1c6672fdcSEdison Ai // SPDX-License-Identifier: Apache-2.0 2817466cbSJens Wiklander /* 3817466cbSJens Wiklander * NIST SP800-38C compliant CCM implementation 4817466cbSJens Wiklander * 5817466cbSJens Wiklander * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6817466cbSJens Wiklander * 7817466cbSJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 8817466cbSJens Wiklander * not use this file except in compliance with the License. 9817466cbSJens Wiklander * You may obtain a copy of the License at 10817466cbSJens Wiklander * 11817466cbSJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 12817466cbSJens Wiklander * 13817466cbSJens Wiklander * Unless required by applicable law or agreed to in writing, software 14817466cbSJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15817466cbSJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16817466cbSJens Wiklander * See the License for the specific language governing permissions and 17817466cbSJens Wiklander * limitations under the License. 18817466cbSJens Wiklander * 19817466cbSJens Wiklander * This file is part of mbed TLS (https://tls.mbed.org) 20817466cbSJens Wiklander */ 21817466cbSJens Wiklander 22817466cbSJens Wiklander /* 23817466cbSJens Wiklander * Definition of CCM: 24817466cbSJens Wiklander * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf 25817466cbSJens Wiklander * RFC 3610 "Counter with CBC-MAC (CCM)" 26817466cbSJens Wiklander * 27817466cbSJens Wiklander * Related: 28817466cbSJens Wiklander * RFC 5116 "An Interface and Algorithms for Authenticated Encryption" 29817466cbSJens Wiklander */ 30817466cbSJens Wiklander 31817466cbSJens Wiklander #if !defined(MBEDTLS_CONFIG_FILE) 32817466cbSJens Wiklander #include "mbedtls/config.h" 33817466cbSJens Wiklander #else 34817466cbSJens Wiklander #include MBEDTLS_CONFIG_FILE 35817466cbSJens Wiklander #endif 36817466cbSJens Wiklander 37817466cbSJens Wiklander #if defined(MBEDTLS_CCM_C) 38817466cbSJens Wiklander 39817466cbSJens Wiklander #include "mbedtls/ccm.h" 40*3d3b0591SJens Wiklander #include "mbedtls/platform_util.h" 41817466cbSJens Wiklander 42817466cbSJens Wiklander #include <string.h> 43817466cbSJens Wiklander 44817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 45817466cbSJens Wiklander #if defined(MBEDTLS_PLATFORM_C) 46817466cbSJens Wiklander #include "mbedtls/platform.h" 47817466cbSJens Wiklander #else 48817466cbSJens Wiklander #include <stdio.h> 49817466cbSJens Wiklander #define mbedtls_printf printf 50817466cbSJens Wiklander #endif /* MBEDTLS_PLATFORM_C */ 51817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 52817466cbSJens Wiklander 53*3d3b0591SJens Wiklander #if !defined(MBEDTLS_CCM_ALT) 54*3d3b0591SJens Wiklander 55*3d3b0591SJens Wiklander #define CCM_VALIDATE_RET( cond ) \ 56*3d3b0591SJens Wiklander MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT ) 57*3d3b0591SJens Wiklander #define CCM_VALIDATE( cond ) \ 58*3d3b0591SJens Wiklander MBEDTLS_INTERNAL_VALIDATE( cond ) 59817466cbSJens Wiklander 60817466cbSJens Wiklander #define CCM_ENCRYPT 0 61817466cbSJens Wiklander #define CCM_DECRYPT 1 62817466cbSJens Wiklander 63817466cbSJens Wiklander /* 64817466cbSJens Wiklander * Initialize context 65817466cbSJens Wiklander */ 66817466cbSJens Wiklander void mbedtls_ccm_init( mbedtls_ccm_context *ctx ) 67817466cbSJens Wiklander { 68*3d3b0591SJens Wiklander CCM_VALIDATE( ctx != NULL ); 69817466cbSJens Wiklander memset( ctx, 0, sizeof( mbedtls_ccm_context ) ); 70817466cbSJens Wiklander } 71817466cbSJens Wiklander 72817466cbSJens Wiklander int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, 73817466cbSJens Wiklander mbedtls_cipher_id_t cipher, 74817466cbSJens Wiklander const unsigned char *key, 75817466cbSJens Wiklander unsigned int keybits ) 76817466cbSJens Wiklander { 77817466cbSJens Wiklander int ret; 78817466cbSJens Wiklander const mbedtls_cipher_info_t *cipher_info; 79817466cbSJens Wiklander 80*3d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 81*3d3b0591SJens Wiklander CCM_VALIDATE_RET( key != NULL ); 82*3d3b0591SJens Wiklander 83817466cbSJens Wiklander cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB ); 84817466cbSJens Wiklander if( cipher_info == NULL ) 85817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 86817466cbSJens Wiklander 87817466cbSJens Wiklander if( cipher_info->block_size != 16 ) 88817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 89817466cbSJens Wiklander 90817466cbSJens Wiklander mbedtls_cipher_free( &ctx->cipher_ctx ); 91817466cbSJens Wiklander 92817466cbSJens Wiklander if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 ) 93817466cbSJens Wiklander return( ret ); 94817466cbSJens Wiklander 95817466cbSJens Wiklander if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits, 96817466cbSJens Wiklander MBEDTLS_ENCRYPT ) ) != 0 ) 97817466cbSJens Wiklander { 98817466cbSJens Wiklander return( ret ); 99817466cbSJens Wiklander } 100817466cbSJens Wiklander 101817466cbSJens Wiklander return( 0 ); 102817466cbSJens Wiklander } 103817466cbSJens Wiklander 104817466cbSJens Wiklander /* 105817466cbSJens Wiklander * Free context 106817466cbSJens Wiklander */ 107817466cbSJens Wiklander void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) 108817466cbSJens Wiklander { 109*3d3b0591SJens Wiklander if( ctx == NULL ) 110*3d3b0591SJens Wiklander return; 111817466cbSJens Wiklander mbedtls_cipher_free( &ctx->cipher_ctx ); 112*3d3b0591SJens Wiklander mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) ); 113817466cbSJens Wiklander } 114817466cbSJens Wiklander 115817466cbSJens Wiklander /* 116817466cbSJens Wiklander * Macros for common operations. 117817466cbSJens Wiklander * Results in smaller compiled code than static inline functions. 118817466cbSJens Wiklander */ 119817466cbSJens Wiklander 120817466cbSJens Wiklander /* 121817466cbSJens Wiklander * Update the CBC-MAC state in y using a block in b 122817466cbSJens Wiklander * (Always using b as the source helps the compiler optimise a bit better.) 123817466cbSJens Wiklander */ 124817466cbSJens Wiklander #define UPDATE_CBC_MAC \ 125817466cbSJens Wiklander for( i = 0; i < 16; i++ ) \ 126817466cbSJens Wiklander y[i] ^= b[i]; \ 127817466cbSJens Wiklander \ 128817466cbSJens Wiklander if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \ 129817466cbSJens Wiklander return( ret ); 130817466cbSJens Wiklander 131817466cbSJens Wiklander /* 132817466cbSJens Wiklander * Encrypt or decrypt a partial block with CTR 133817466cbSJens Wiklander * Warning: using b for temporary storage! src and dst must not be b! 134817466cbSJens Wiklander * This avoids allocating one more 16 bytes buffer while allowing src == dst. 135817466cbSJens Wiklander */ 136817466cbSJens Wiklander #define CTR_CRYPT( dst, src, len ) \ 137817466cbSJens Wiklander if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, 16, b, &olen ) ) != 0 ) \ 138817466cbSJens Wiklander return( ret ); \ 139817466cbSJens Wiklander \ 140817466cbSJens Wiklander for( i = 0; i < len; i++ ) \ 141817466cbSJens Wiklander dst[i] = src[i] ^ b[i]; 142817466cbSJens Wiklander 143817466cbSJens Wiklander /* 144817466cbSJens Wiklander * Authenticated encryption or decryption 145817466cbSJens Wiklander */ 146817466cbSJens Wiklander static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, 147817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 148817466cbSJens Wiklander const unsigned char *add, size_t add_len, 149817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 150817466cbSJens Wiklander unsigned char *tag, size_t tag_len ) 151817466cbSJens Wiklander { 152817466cbSJens Wiklander int ret; 153817466cbSJens Wiklander unsigned char i; 154817466cbSJens Wiklander unsigned char q; 155817466cbSJens Wiklander size_t len_left, olen; 156817466cbSJens Wiklander unsigned char b[16]; 157817466cbSJens Wiklander unsigned char y[16]; 158817466cbSJens Wiklander unsigned char ctr[16]; 159817466cbSJens Wiklander const unsigned char *src; 160817466cbSJens Wiklander unsigned char *dst; 161817466cbSJens Wiklander 162817466cbSJens Wiklander /* 163817466cbSJens Wiklander * Check length requirements: SP800-38C A.1 164817466cbSJens Wiklander * Additional requirement: a < 2^16 - 2^8 to simplify the code. 165817466cbSJens Wiklander * 'length' checked later (when writing it to the first block) 166*3d3b0591SJens Wiklander * 167*3d3b0591SJens Wiklander * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4). 168817466cbSJens Wiklander */ 169*3d3b0591SJens Wiklander if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 ) 170817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 171817466cbSJens Wiklander 172817466cbSJens Wiklander /* Also implies q is within bounds */ 173817466cbSJens Wiklander if( iv_len < 7 || iv_len > 13 ) 174817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 175817466cbSJens Wiklander 176817466cbSJens Wiklander if( add_len > 0xFF00 ) 177817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 178817466cbSJens Wiklander 179817466cbSJens Wiklander q = 16 - 1 - (unsigned char) iv_len; 180817466cbSJens Wiklander 181817466cbSJens Wiklander /* 182817466cbSJens Wiklander * First block B_0: 183817466cbSJens Wiklander * 0 .. 0 flags 184817466cbSJens Wiklander * 1 .. iv_len nonce (aka iv) 185817466cbSJens Wiklander * iv_len+1 .. 15 length 186817466cbSJens Wiklander * 187817466cbSJens Wiklander * With flags as (bits): 188817466cbSJens Wiklander * 7 0 189817466cbSJens Wiklander * 6 add present? 190817466cbSJens Wiklander * 5 .. 3 (t - 2) / 2 191817466cbSJens Wiklander * 2 .. 0 q - 1 192817466cbSJens Wiklander */ 193817466cbSJens Wiklander b[0] = 0; 194817466cbSJens Wiklander b[0] |= ( add_len > 0 ) << 6; 195817466cbSJens Wiklander b[0] |= ( ( tag_len - 2 ) / 2 ) << 3; 196817466cbSJens Wiklander b[0] |= q - 1; 197817466cbSJens Wiklander 198817466cbSJens Wiklander memcpy( b + 1, iv, iv_len ); 199817466cbSJens Wiklander 200817466cbSJens Wiklander for( i = 0, len_left = length; i < q; i++, len_left >>= 8 ) 201817466cbSJens Wiklander b[15-i] = (unsigned char)( len_left & 0xFF ); 202817466cbSJens Wiklander 203817466cbSJens Wiklander if( len_left > 0 ) 204817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 205817466cbSJens Wiklander 206817466cbSJens Wiklander 207817466cbSJens Wiklander /* Start CBC-MAC with first block */ 208817466cbSJens Wiklander memset( y, 0, 16 ); 209817466cbSJens Wiklander UPDATE_CBC_MAC; 210817466cbSJens Wiklander 211817466cbSJens Wiklander /* 212817466cbSJens Wiklander * If there is additional data, update CBC-MAC with 213817466cbSJens Wiklander * add_len, add, 0 (padding to a block boundary) 214817466cbSJens Wiklander */ 215817466cbSJens Wiklander if( add_len > 0 ) 216817466cbSJens Wiklander { 217817466cbSJens Wiklander size_t use_len; 218817466cbSJens Wiklander len_left = add_len; 219817466cbSJens Wiklander src = add; 220817466cbSJens Wiklander 221817466cbSJens Wiklander memset( b, 0, 16 ); 222817466cbSJens Wiklander b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF ); 223817466cbSJens Wiklander b[1] = (unsigned char)( ( add_len ) & 0xFF ); 224817466cbSJens Wiklander 225817466cbSJens Wiklander use_len = len_left < 16 - 2 ? len_left : 16 - 2; 226817466cbSJens Wiklander memcpy( b + 2, src, use_len ); 227817466cbSJens Wiklander len_left -= use_len; 228817466cbSJens Wiklander src += use_len; 229817466cbSJens Wiklander 230817466cbSJens Wiklander UPDATE_CBC_MAC; 231817466cbSJens Wiklander 232817466cbSJens Wiklander while( len_left > 0 ) 233817466cbSJens Wiklander { 234817466cbSJens Wiklander use_len = len_left > 16 ? 16 : len_left; 235817466cbSJens Wiklander 236817466cbSJens Wiklander memset( b, 0, 16 ); 237817466cbSJens Wiklander memcpy( b, src, use_len ); 238817466cbSJens Wiklander UPDATE_CBC_MAC; 239817466cbSJens Wiklander 240817466cbSJens Wiklander len_left -= use_len; 241817466cbSJens Wiklander src += use_len; 242817466cbSJens Wiklander } 243817466cbSJens Wiklander } 244817466cbSJens Wiklander 245817466cbSJens Wiklander /* 246817466cbSJens Wiklander * Prepare counter block for encryption: 247817466cbSJens Wiklander * 0 .. 0 flags 248817466cbSJens Wiklander * 1 .. iv_len nonce (aka iv) 249817466cbSJens Wiklander * iv_len+1 .. 15 counter (initially 1) 250817466cbSJens Wiklander * 251817466cbSJens Wiklander * With flags as (bits): 252817466cbSJens Wiklander * 7 .. 3 0 253817466cbSJens Wiklander * 2 .. 0 q - 1 254817466cbSJens Wiklander */ 255817466cbSJens Wiklander ctr[0] = q - 1; 256817466cbSJens Wiklander memcpy( ctr + 1, iv, iv_len ); 257817466cbSJens Wiklander memset( ctr + 1 + iv_len, 0, q ); 258817466cbSJens Wiklander ctr[15] = 1; 259817466cbSJens Wiklander 260817466cbSJens Wiklander /* 261817466cbSJens Wiklander * Authenticate and {en,de}crypt the message. 262817466cbSJens Wiklander * 263817466cbSJens Wiklander * The only difference between encryption and decryption is 264817466cbSJens Wiklander * the respective order of authentication and {en,de}cryption. 265817466cbSJens Wiklander */ 266817466cbSJens Wiklander len_left = length; 267817466cbSJens Wiklander src = input; 268817466cbSJens Wiklander dst = output; 269817466cbSJens Wiklander 270817466cbSJens Wiklander while( len_left > 0 ) 271817466cbSJens Wiklander { 272817466cbSJens Wiklander size_t use_len = len_left > 16 ? 16 : len_left; 273817466cbSJens Wiklander 274817466cbSJens Wiklander if( mode == CCM_ENCRYPT ) 275817466cbSJens Wiklander { 276817466cbSJens Wiklander memset( b, 0, 16 ); 277817466cbSJens Wiklander memcpy( b, src, use_len ); 278817466cbSJens Wiklander UPDATE_CBC_MAC; 279817466cbSJens Wiklander } 280817466cbSJens Wiklander 281817466cbSJens Wiklander CTR_CRYPT( dst, src, use_len ); 282817466cbSJens Wiklander 283817466cbSJens Wiklander if( mode == CCM_DECRYPT ) 284817466cbSJens Wiklander { 285817466cbSJens Wiklander memset( b, 0, 16 ); 286817466cbSJens Wiklander memcpy( b, dst, use_len ); 287817466cbSJens Wiklander UPDATE_CBC_MAC; 288817466cbSJens Wiklander } 289817466cbSJens Wiklander 290817466cbSJens Wiklander dst += use_len; 291817466cbSJens Wiklander src += use_len; 292817466cbSJens Wiklander len_left -= use_len; 293817466cbSJens Wiklander 294817466cbSJens Wiklander /* 295817466cbSJens Wiklander * Increment counter. 296817466cbSJens Wiklander * No need to check for overflow thanks to the length check above. 297817466cbSJens Wiklander */ 298817466cbSJens Wiklander for( i = 0; i < q; i++ ) 299817466cbSJens Wiklander if( ++ctr[15-i] != 0 ) 300817466cbSJens Wiklander break; 301817466cbSJens Wiklander } 302817466cbSJens Wiklander 303817466cbSJens Wiklander /* 304817466cbSJens Wiklander * Authentication: reset counter and crypt/mask internal tag 305817466cbSJens Wiklander */ 306817466cbSJens Wiklander for( i = 0; i < q; i++ ) 307817466cbSJens Wiklander ctr[15-i] = 0; 308817466cbSJens Wiklander 309817466cbSJens Wiklander CTR_CRYPT( y, y, 16 ); 310817466cbSJens Wiklander memcpy( tag, y, tag_len ); 311817466cbSJens Wiklander 312817466cbSJens Wiklander return( 0 ); 313817466cbSJens Wiklander } 314817466cbSJens Wiklander 315817466cbSJens Wiklander /* 316817466cbSJens Wiklander * Authenticated encryption 317817466cbSJens Wiklander */ 318*3d3b0591SJens Wiklander int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, 319*3d3b0591SJens Wiklander const unsigned char *iv, size_t iv_len, 320*3d3b0591SJens Wiklander const unsigned char *add, size_t add_len, 321*3d3b0591SJens Wiklander const unsigned char *input, unsigned char *output, 322*3d3b0591SJens Wiklander unsigned char *tag, size_t tag_len ) 323*3d3b0591SJens Wiklander { 324*3d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 325*3d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 326*3d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 327*3d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 328*3d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 329*3d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 330*3d3b0591SJens Wiklander return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len, 331*3d3b0591SJens Wiklander add, add_len, input, output, tag, tag_len ) ); 332*3d3b0591SJens Wiklander } 333*3d3b0591SJens Wiklander 334817466cbSJens Wiklander int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, 335817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 336817466cbSJens Wiklander const unsigned char *add, size_t add_len, 337817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 338817466cbSJens Wiklander unsigned char *tag, size_t tag_len ) 339817466cbSJens Wiklander { 340*3d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 341*3d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 342*3d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 343*3d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 344*3d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 345*3d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 346*3d3b0591SJens Wiklander if( tag_len == 0 ) 347*3d3b0591SJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 348*3d3b0591SJens Wiklander 349*3d3b0591SJens Wiklander return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add, 350*3d3b0591SJens Wiklander add_len, input, output, tag, tag_len ) ); 351817466cbSJens Wiklander } 352817466cbSJens Wiklander 353817466cbSJens Wiklander /* 354817466cbSJens Wiklander * Authenticated decryption 355817466cbSJens Wiklander */ 356*3d3b0591SJens Wiklander int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, 357817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 358817466cbSJens Wiklander const unsigned char *add, size_t add_len, 359817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 360817466cbSJens Wiklander const unsigned char *tag, size_t tag_len ) 361817466cbSJens Wiklander { 362817466cbSJens Wiklander int ret; 363817466cbSJens Wiklander unsigned char check_tag[16]; 364817466cbSJens Wiklander unsigned char i; 365817466cbSJens Wiklander int diff; 366817466cbSJens Wiklander 367*3d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 368*3d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 369*3d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 370*3d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 371*3d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 372*3d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 373*3d3b0591SJens Wiklander 374817466cbSJens Wiklander if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length, 375817466cbSJens Wiklander iv, iv_len, add, add_len, 376817466cbSJens Wiklander input, output, check_tag, tag_len ) ) != 0 ) 377817466cbSJens Wiklander { 378817466cbSJens Wiklander return( ret ); 379817466cbSJens Wiklander } 380817466cbSJens Wiklander 381817466cbSJens Wiklander /* Check tag in "constant-time" */ 382817466cbSJens Wiklander for( diff = 0, i = 0; i < tag_len; i++ ) 383817466cbSJens Wiklander diff |= tag[i] ^ check_tag[i]; 384817466cbSJens Wiklander 385817466cbSJens Wiklander if( diff != 0 ) 386817466cbSJens Wiklander { 387*3d3b0591SJens Wiklander mbedtls_platform_zeroize( output, length ); 388817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_AUTH_FAILED ); 389817466cbSJens Wiklander } 390817466cbSJens Wiklander 391817466cbSJens Wiklander return( 0 ); 392817466cbSJens Wiklander } 393817466cbSJens Wiklander 394*3d3b0591SJens Wiklander int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, 395*3d3b0591SJens Wiklander const unsigned char *iv, size_t iv_len, 396*3d3b0591SJens Wiklander const unsigned char *add, size_t add_len, 397*3d3b0591SJens Wiklander const unsigned char *input, unsigned char *output, 398*3d3b0591SJens Wiklander const unsigned char *tag, size_t tag_len ) 399*3d3b0591SJens Wiklander { 400*3d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 401*3d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 402*3d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 403*3d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 404*3d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 405*3d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 406*3d3b0591SJens Wiklander 407*3d3b0591SJens Wiklander if( tag_len == 0 ) 408*3d3b0591SJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 409*3d3b0591SJens Wiklander 410*3d3b0591SJens Wiklander return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add, 411*3d3b0591SJens Wiklander add_len, input, output, tag, tag_len ) ); 412*3d3b0591SJens Wiklander } 413*3d3b0591SJens Wiklander #endif /* !MBEDTLS_CCM_ALT */ 414817466cbSJens Wiklander 415817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 416817466cbSJens Wiklander /* 417817466cbSJens Wiklander * Examples 1 to 3 from SP800-38C Appendix C 418817466cbSJens Wiklander */ 419817466cbSJens Wiklander 420817466cbSJens Wiklander #define NB_TESTS 3 421*3d3b0591SJens Wiklander #define CCM_SELFTEST_PT_MAX_LEN 24 422*3d3b0591SJens Wiklander #define CCM_SELFTEST_CT_MAX_LEN 32 423817466cbSJens Wiklander /* 424817466cbSJens Wiklander * The data is the same for all tests, only the used length changes 425817466cbSJens Wiklander */ 426817466cbSJens Wiklander static const unsigned char key[] = { 427817466cbSJens Wiklander 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 428817466cbSJens Wiklander 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f 429817466cbSJens Wiklander }; 430817466cbSJens Wiklander 431817466cbSJens Wiklander static const unsigned char iv[] = { 432817466cbSJens Wiklander 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 433817466cbSJens Wiklander 0x18, 0x19, 0x1a, 0x1b 434817466cbSJens Wiklander }; 435817466cbSJens Wiklander 436817466cbSJens Wiklander static const unsigned char ad[] = { 437817466cbSJens Wiklander 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 438817466cbSJens Wiklander 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 439817466cbSJens Wiklander 0x10, 0x11, 0x12, 0x13 440817466cbSJens Wiklander }; 441817466cbSJens Wiklander 442*3d3b0591SJens Wiklander static const unsigned char msg[CCM_SELFTEST_PT_MAX_LEN] = { 443817466cbSJens Wiklander 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 444817466cbSJens Wiklander 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 445817466cbSJens Wiklander 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 446817466cbSJens Wiklander }; 447817466cbSJens Wiklander 448817466cbSJens Wiklander static const size_t iv_len [NB_TESTS] = { 7, 8, 12 }; 449817466cbSJens Wiklander static const size_t add_len[NB_TESTS] = { 8, 16, 20 }; 450817466cbSJens Wiklander static const size_t msg_len[NB_TESTS] = { 4, 16, 24 }; 451817466cbSJens Wiklander static const size_t tag_len[NB_TESTS] = { 4, 6, 8 }; 452817466cbSJens Wiklander 453*3d3b0591SJens Wiklander static const unsigned char res[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = { 454817466cbSJens Wiklander { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d }, 455817466cbSJens Wiklander { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62, 456817466cbSJens Wiklander 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d, 457817466cbSJens Wiklander 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd }, 458817466cbSJens Wiklander { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a, 459817466cbSJens Wiklander 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b, 460817466cbSJens Wiklander 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5, 461817466cbSJens Wiklander 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 } 462817466cbSJens Wiklander }; 463817466cbSJens Wiklander 464817466cbSJens Wiklander int mbedtls_ccm_self_test( int verbose ) 465817466cbSJens Wiklander { 466817466cbSJens Wiklander mbedtls_ccm_context ctx; 467*3d3b0591SJens Wiklander /* 468*3d3b0591SJens Wiklander * Some hardware accelerators require the input and output buffers 469*3d3b0591SJens Wiklander * would be in RAM, because the flash is not accessible. 470*3d3b0591SJens Wiklander * Use buffers on the stack to hold the test vectors data. 471*3d3b0591SJens Wiklander */ 472*3d3b0591SJens Wiklander unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN]; 473*3d3b0591SJens Wiklander unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN]; 474817466cbSJens Wiklander size_t i; 475817466cbSJens Wiklander int ret; 476817466cbSJens Wiklander 477817466cbSJens Wiklander mbedtls_ccm_init( &ctx ); 478817466cbSJens Wiklander 479817466cbSJens Wiklander if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key, 8 * sizeof key ) != 0 ) 480817466cbSJens Wiklander { 481817466cbSJens Wiklander if( verbose != 0 ) 482817466cbSJens Wiklander mbedtls_printf( " CCM: setup failed" ); 483817466cbSJens Wiklander 484817466cbSJens Wiklander return( 1 ); 485817466cbSJens Wiklander } 486817466cbSJens Wiklander 487817466cbSJens Wiklander for( i = 0; i < NB_TESTS; i++ ) 488817466cbSJens Wiklander { 489817466cbSJens Wiklander if( verbose != 0 ) 490817466cbSJens Wiklander mbedtls_printf( " CCM-AES #%u: ", (unsigned int) i + 1 ); 491817466cbSJens Wiklander 492*3d3b0591SJens Wiklander memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); 493*3d3b0591SJens Wiklander memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN ); 494*3d3b0591SJens Wiklander memcpy( plaintext, msg, msg_len[i] ); 495*3d3b0591SJens Wiklander 496817466cbSJens Wiklander ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len[i], 497817466cbSJens Wiklander iv, iv_len[i], ad, add_len[i], 498*3d3b0591SJens Wiklander plaintext, ciphertext, 499*3d3b0591SJens Wiklander ciphertext + msg_len[i], tag_len[i] ); 500817466cbSJens Wiklander 501817466cbSJens Wiklander if( ret != 0 || 502*3d3b0591SJens Wiklander memcmp( ciphertext, res[i], msg_len[i] + tag_len[i] ) != 0 ) 503817466cbSJens Wiklander { 504817466cbSJens Wiklander if( verbose != 0 ) 505817466cbSJens Wiklander mbedtls_printf( "failed\n" ); 506817466cbSJens Wiklander 507817466cbSJens Wiklander return( 1 ); 508817466cbSJens Wiklander } 509*3d3b0591SJens Wiklander memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); 510817466cbSJens Wiklander 511817466cbSJens Wiklander ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len[i], 512817466cbSJens Wiklander iv, iv_len[i], ad, add_len[i], 513*3d3b0591SJens Wiklander ciphertext, plaintext, 514*3d3b0591SJens Wiklander ciphertext + msg_len[i], tag_len[i] ); 515817466cbSJens Wiklander 516817466cbSJens Wiklander if( ret != 0 || 517*3d3b0591SJens Wiklander memcmp( plaintext, msg, msg_len[i] ) != 0 ) 518817466cbSJens Wiklander { 519817466cbSJens Wiklander if( verbose != 0 ) 520817466cbSJens Wiklander mbedtls_printf( "failed\n" ); 521817466cbSJens Wiklander 522817466cbSJens Wiklander return( 1 ); 523817466cbSJens Wiklander } 524817466cbSJens Wiklander 525817466cbSJens Wiklander if( verbose != 0 ) 526817466cbSJens Wiklander mbedtls_printf( "passed\n" ); 527817466cbSJens Wiklander } 528817466cbSJens Wiklander 529817466cbSJens Wiklander mbedtls_ccm_free( &ctx ); 530817466cbSJens Wiklander 531817466cbSJens Wiklander if( verbose != 0 ) 532817466cbSJens Wiklander mbedtls_printf( "\n" ); 533817466cbSJens Wiklander 534817466cbSJens Wiklander return( 0 ); 535817466cbSJens Wiklander } 536817466cbSJens Wiklander 537817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 538817466cbSJens Wiklander 539817466cbSJens Wiklander #endif /* MBEDTLS_CCM_C */ 540